From 8f909199c4964a4f501520bb687d88471daf6af6 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 22 Aug 2012 18:32:18 +1000
Subject: [PATCH] s4-samba-tool: Add 'samba-tool ntacl sysvolreset' tool

This will reset the NT ACL on the sysvol share to the default from provision, with GPO objects matching the LDAP ACL (as required).

Andrew Bartlett
---
 .../scripting/python/samba/netcmd/ntacl.py | 74 ++++++++++++++++++-
 1 file changed, 73 insertions(+), 1 deletion(-)

diff --git a/source4/scripting/python/samba/netcmd/ntacl.py b/source4/scripting/python/samba/netcmd/ntacl.py
index 09c1ce00325..81217b76d6b 100644
--- a/source4/scripting/python/samba/netcmd/ntacl.py
+++ b/source4/scripting/python/samba/netcmd/ntacl.py
@@ -18,10 +18,13 @@
 from samba.credentials import DONT_USE_KERBEROS
 import samba.getopt as options
-from samba.dcerpc import security
+from samba.dcerpc import security, idmap
 from samba.ntacls import setntacl, getntacl
 from samba import Ldb
 from samba.ndr import ndr_unpack
+from samba.samdb import SamDB
+from samba.samba3 import param as s3param, passdb, smbd
+from samba import provision
 from ldb import SCOPE_BASE
 import os
@@ -109,10 +112,79 @@ class cmd_ntacl_get(Command): acl.dump() +class cmd_ntacl_sysvolreset(Command): + """Reset sysvol ACLs to defaults (including correct ACLs on GPOs)""" + synopsis = "%prog [options]" + + takes_optiongroups = { + "sambaopts": options.SambaOptions, + "credopts": options.CredentialsOptions, + "versionopts": options.VersionOptions, + } + + takes_options = [ + Option("--use-ntvfs", help="Set the ACLs for use with the ntvfs file server", action="store_true"), + Option("--use-s3fs", help="Set the ACLs for use with the default s3fs file server", action="store_true") + ] + + def run(self, use_ntvfs=False, use_s3fs=False, + credopts=None, sambaopts=None, versionopts=None): + lp = sambaopts.get_loadparm() + path = lp.private_path("secrets.ldb") + creds = credopts.get_credentials(lp) + creds.set_kerberos_state(DONT_USE_KERBEROS) + logger = self.get_logger() + + netlogon = lp.get("path", "netlogon") + sysvol = lp.get("path", "sysvol") + try: + samdb = SamDB(session_info=system_session(), + lp=lp) + except Exception, e: + raise CommandError("Unable to open samdb:", e) + + if not use_ntvfs and not use_s3fs: + use_ntvfs = "smb" in lp.get("server services") + elif use_s3fs: + use_ntvfs = False + + domain_sid = security.dom_sid(samdb.domain_sid) + + s3conf = s3param.get_context() + s3conf.load(lp.configfile) + # ensure we are using the right samba4 passdb backend, no matter what + s3conf.set("passdb backend", "samba4:%s" % samdb.url) + + LA_sid = security.dom_sid(str(domain_sid) + +"-"+str(security.DOMAIN_RID_ADMINISTRATOR)) + BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS) + + s4_passdb = passdb.PDB(s3conf.get("passdb backend")) + + # These assertions correct for current plugin_s4_dc selftest + # configuration. 
When other environments have a broad range of + # groups mapped via passdb, we can relax some of these checks + (LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid) + if (LA_type != idmap.ID_TYPE_UID and LA_type != idmap.ID_TYPE_BOTH): + raise CommandError("SID %s is not mapped to a UID" % LA_sid) + (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid) + if (BA_type != idmap.ID_TYPE_GID and BA_type != idmap.ID_TYPE_BOTH): + raise CommandError("SID %s is not mapped to a GID" % BA_sid) + + if use_ntvfs: + logger.warning("Please note that POSIX permissions have NOT been changed, only the stored NT ACL") + + provision.setsysvolacl(samdb, netlogon, sysvol, + LA_uid, BA_gid, domain_sid, + lp.get("realm").lower(), samdb.domain_dn(), + lp, use_ntvfs=use_ntvfs) + + class cmd_ntacl(SuperCommand): """NT ACLs manipulation""" subcommands = {} subcommands["set"] = cmd_ntacl_set() subcommands["get"] = cmd_ntacl_get() + subcommands["sysvolreset"] = cmd_ntacl_sysvolreset()
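Review bot: Passing both --use-ntvfs and --use-s3fs is accepted silently by run() in cmd_ntacl_sysvolreset: the `if not use_ntvfs and not use_s3fs:` / `elif use_s3fs:` chain lets s3fs win without any message, so a contradictory command line still rewrites every sysvol ACL in one of the two storage formats; reject the combination before that chain with `if use_ntvfs and use_s3fs:` / `raise CommandError("--use-ntvfs and --use-s3fs are mutually exclusive")`. In the same method `path = lp.private_path("secrets.ldb")` and the `creds` object given `set_kerberos_state(DONT_USE_KERBEROS)` are never used afterwards — SamDB is opened with system_session() and neither value is passed to provision.setsysvolacl — so they look copied from cmd_ntacl_set/get and should be dropped or actually wired in. The `smbd` name added to the `from samba.samba3 import ...` line in the first hunk is likewise not referenced by any of the new code shown and appears unused. `system_session` is used here but imported in neither hunk; presumably it is already imported above line 18 of the file, which is outside this patch — worth confirming.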